.\" 
.\" makecert manual page.
.\" Copyright 2003 Motus Technologies
.\" Copyright 2004-2005, 2011 Novell
.\" Author:
.\"   Sebastien Pouliot (sebastien@ximian.com)
.\"
.TH Mono "MakeCert"
.SH NAME
MakeCert \- Create X.509 certificates for test purposes
.SH SYNOPSIS
.PP
.B makecert [options] certificate
.SH DESCRIPTION
Create an X.509 certificate using the provided informations. This
is useful for testing Authenticode signatures, SSL and S/MIME
technologies.
.SH PARAMETERS
.TP
.I "-# num"
Specify the certificate serial number.
.TP
.I "-n dn"
Specify the subject Distinguished Name (DN).
.TP
.I "-in dn"
Specify the issuer Distinguished Name (DN).
.TP
.I "-r"
Create a self-signed, also called root, certificate.
.TP
.I "-iv pvkfile"
Specify the private key file (.PVK) for the issuer. The private key in the 
specified file will be used to sign the new certificate.
.TP
.I "-ic certfile"
Extract the issuer's name from the specified certificate file - i.e. the
subject name of the specified certificate becomes the issuer name of the
new certificate.
.TP
.I "-in name"
Use the issuer's name from the specified parameter.
.TP
.I "-ik container"
Specify the key container name to be used for the issuer.
.TP
.I "-iky [signature | exchange | #]"
Specify the key number to be used in the provider (when used with -ik).
.TP
.I "-ip provider"
Specify the cryptographic provider to be used for the issuer.
.TP
.I "-ir [localmachine | currentuser]"
Specify the provider will search the user or the machine keys containers for
the issuer.
.TP
.I "-iy number"
Specify the provider type to be used for the issuer.
.TP
.I "-sv pkvfile"
Specify the private key file (.PVK) for the subject. The public part of the
key will be inserted into the created certificate. If non-existant the 
specified file will be created with a new key pair (default to 1024 bits RSA
key pair).
.TP
.I "-sk container"
Specify the key container name to be used for the subject.
.TP
.I "-sky [signature | exchange | #]"
Specify the key number to be used in the provider (when used with -sk).
.TP
.I "-sp provider"
Specify the cryptographic provider to be used for the subject.
.TP
.I "-sr [localmachine | currentuser]"
Specify the provider will search the user or the machine keys containers for
the subject.
.TP
.I "-sy number"
Specify the provider type to be used for the issuer.
.TP
.I "-a hash"
Select hash algorithm. Only MD5 and SHA1 algorithms are supported.
.TP
.I "-b date"
The date since when the certificate is valid (notBefore).
.TP
.I "-e date"
The date until when the certificate is valid (notAfter).
.TP
.I "-m number"
Specify the certificate validity period in months. This is added to the
notBefore validity date which can be set with -b or will default to the 
current date/time.
.TP
.I "-cy [authority|end]"
Basic constraints. Select Authority or End-Entity certificate. Only Authority
certificates can be used to sign other certificates (-ic). End-Entity can
be used by clients (e.g. Authenticode, S/MIME) or servers (e.g. SSL).
.TP
.I "-h number"
Add a path length restriction to the certificate chain. This is only 
applicable for certificates that have BasicConstraint set to Authority (-cy 
authority). This is used to limit the chain of certificates than can be
issued under this authority.
.TP
.I "-alt filename"
Add a subjectAltName extension to the certificate. Each line from 'filename'
will be added as a DNS entry of the extension. This option is useful if you
want to create a single SSL certificate to work on several hosts that do not
share a common domain name (i.e. CN=*.domain.com would not work).
.TP
.I "-eku oid[,oid]"
Add some extended key usage OID to the certificate.
.TP
.I "-p12 pkcs12file password"
Create a new PKCS#12 file containing both the certificates (the subject and
possibly the issuer's) and the private key. The PKCS#12 file is protected 
with the specified password. This option is
.B mono exclusive.
.TP
.I "-?"
Help (display this help message)
.TP
.I "-!"
Extended help (for advanced options)
.SH EXAMPLES
.PP
To create a SSL test (i.e. non trusted) certificate is easy
once your know your host's name. The following command will create a 
test certificate for an SSL server:
.nf
	$ hostname 
	pollux

	$ makecert -r -eku 1.3.6.1.5.5.7.3.1 -n "CN=pollux" -sv pollux.pvk pollux.cer
	Success
.fi
.PP
In particular in the above example, the parameters used to build this
test certificate were:
.TP 
.I "-r"
Create a self-signed certificate (i.e. without an hierarchy). 
.TP
.I "-eku 1.3.6.1.5.5.7.3.1"
Optional (as sadly most client don't require it). This indicates that
your certificate is intended for server-side authentication.
.TP 
.I "-n \"CN=pollux\""
Common Name (CN) = Host name. This is verified the SSL client and must
match the connected host (or else you'll get a warning or error or
*gasp* nothing).
.TP 
.I "-sv private.key"
The private key file. The key (1024 bits RSA key pair) will be
automatically generated if the specified file isn't present.
.TP 
.I "pollux.cer"
The SSL certificate to be created for your host.
.SH KNOWN RESTRICTIONS
Compared to the Windows version some options aren't supported (-$, -d, -l, 
-nscp, -is, -sc, -ss). Also PVK files with passwords aren't supported.
.SH AUTHOR
Written by Sebastien Pouliot
.SH COPYRIGHT
Copyright (C) 2003 Motus Technologies. 
Copyright (C) 2004-2005 Novell. 
Released under BSD license.
.SH MAILING LISTS
Visit http://lists.ximian.com/mailman/listinfo/mono-devel-list for details.
.SH WEB SITE
Visit http://www.mono-project.com for details
.SH SEE ALSO
.BR signcode (1)
